If the security of the PC was compromised before he added Google Authenticator, the hacker could copy the key OP generated and set up Google Authenticator himself, which would generate codes that would be the same as OP's. Another possibility is that the device used for generating the codes could have been compromised, as was mentioned above.
The first scenario is always a possibility; one must start secure to remain secure. The second possibility is important to bring up because many people may be undermining their "2"FA. If, for example, your Android phone is your second-factor device, you SHOULD NOT be using apps or accessing the website from that device. If the phone is compromised, both your factors are now in the same location. A compromised phone would give the attacker access to both your password & gAuth secret key.
One thing people may not be aware of is that gAuth doesn't require an active internet connection. I use an old junked smartphone from which I removed all apps and disabled all wireless & cellular; it sits on my desk as a 2FA "device" for about 20 or so websites. When I am not home it goes in the office safe. Granted, that may be a little extreme, but eventually everyone is going to have an old smartphone, so using a "semi-dedicated" device which is permanently air-gapped provides enhanced security on the cheap.
It shouldn't let you reuse a code more than once. On Mt.Gox, if I want to quickly withdraw some BTC to two addresses, I have to wait a few seconds before sending to the 2nd address until a new code is generated, because it won't accept the previous one that I have already used (even if it is still valid for a few seconds).
Correct. By the standard, the website should never accept the same code twice (even if still valid). It is simple to achieve this. When the site receives the auth code and validates it, it then stores the most recent code in the login/user table. When receiving a new authentication from the user, it first checks that the code wasn't the last one received. The site should only store the last VALID code, to prevent an attack where the attacker "flushes" the stored code by providing an invalid one and then the valid one.
Maybe blockchain.info can verify how they ensure no replay attack of 2FA codes. Note it is possible that a severely compromised computer with custom special-purpose malware could still fail. The malware could intercept the code, prevent the computer from sending it to the site, and then use the code to perform the action the attacker wants. I would point out that if your system is that compromised, then just about any wallet (local client, paper wallet input for spending, etc.) is at risk.
2FA isn't a magic bullet; however, it does raise the bar for the attacker. A generic keylogger or brute-force attack would be insufficient to gain access. The goal of any security system is to make it more difficult for the attacker. Can a physical safe be cracked? Sure, but having your gold in a safe is better than in a cardboard box.
PSA about public wifi (or other unknown/untrusted internet connectivity): MITM attacks can defeat 2FA pretty easily. The most likely attack scenario will occur when using "public wifi". An attacker can create a hotspot with the same SSID as your regular hotspot (say Starbucks) and, using a higher-output amp, "block" the real Starbucks wifi (most routers have pretty weak output, so this is pretty easy). You connect thinking you are connecting to Starbucks, but you are connecting to the attacker sitting there drinking a coffee with his laptop. The attacker can MITM any internet browsing. If the website uses SSL the attacker can't easily impersonate that; however, the attacker could provide you a fake decrypted (http://blockchain.info vs https://blockchain.info) version of the site, or provide you a "secure" spoofed site (https://bl0ckchain.info). The real solution is that 802.11 needs to be extended to provide strong cryptographic (CA-type solution) authentication and a per-session SSL-type key-sharing scheme. Barring the development of a standard, I would highly recommend NOT using public wifi for sensitive tasks (or route all communication via VPN when on public wifi), and double-check that the website is operating over https and the URL is correct.